oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: f2py insecure temporary file use

From: cve-assign () mitre org
Date: Fri, 7 Feb 2014 21:06:00 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Jakub Wilk reported insecure temporary file use in f2py.

numpy/f2py/__init__.py contains this code:

          fname = os.path.join(tempfile.mktemp()+'.f')

      f = open(fname,'w')

Can a CVE please be assigned if one hasn't been already?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
https://bugzilla.redhat.com/show_bug.cgi?id=1062009


Use CVE-2014-1858 only for the issue in the __init__.py file.

Use CVE-2014-1859 for the other temporary-file issues fixed by the
vendor in the
https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
commit.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS9Y9iAAoJEKllVAevmvmsmUgH/jW37Wa7Wp52niRfZ+5B3IR+
emZwCRGRhJKZVZKB3yWDPOLv7WPGsXMQUgRzNLI81U2ukGX5+ZDQCAvm2o5fed25
z90k82ER5lwmbosp87p/kKNtCTuLegijDczduBIV73fO3PwC1d+/JM5I4/DnTSM6
OWLRquY7giwDPiF5NvBrmDR6JocWOPVlbAHoIvLuxRFcYdFbqDaJe8Bt8hf2saQB
Phw/nIaladkNJOKR5sZM9+E3tVdP1MPCjmiMdASWktTP0fNrGMoBS24zTAQY5hgT
ApAW+6Y88igBbZ/aci5kvIo7ocdmw+ld7YNK46PMX8Cr4MsTJZX0X6V85HCzAJM=
=XwId
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: